veryfront 0.1.217 → 0.1.218

package/esm/deno.d.ts

@@ -3,6 +3,7 @@ declare namespace _default {
     let version: string;
     let license: string;
     let nodeModulesDir: string;
+    let workspace: string[];
     let exclude: string[];
     let exports: {
         ".": string;
@@ -250,9 +251,7 @@ declare namespace _default {
         "tailwindcss/plugin": string;
         "tailwindcss/defaultTheme": string;
         "tailwindcss/colors": string;
-        redis: string;
         pg: string;
-        jose: string;
         "@opentelemetry/api": string;
         "@opentelemetry/core": string;
         "@opentelemetry/context-async-hooks": string;

package/esm/deno.js

@@ -1,8 +1,11 @@
 export default {
     "name": "veryfront",
-    "version": "0.1.217",
+    "version": "0.1.218",
     "license": "Apache-2.0",
     "nodeModulesDir": "auto",
+    "workspace": [
+        "./extensions/ext-redis"
+    ],
     "exclude": [
         "npm/",
         "dist/",
@@ -12,7 +15,8 @@ export default {
         "data/",
         ".deno_cache/",
         "cli/templates/files/",
-        "cli/templates/integrations/"
+        "cli/templates/integrations/",
+        "extensions/"
     ],
     "exports": {
         ".": "./src/index.ts",
@@ -260,9 +264,7 @@ export default {
         "tailwindcss/plugin": "https://esm.sh/tailwindcss@4.2.2/plugin",
         "tailwindcss/defaultTheme": "https://esm.sh/tailwindcss@4.2.2/defaultTheme",
         "tailwindcss/colors": "https://esm.sh/tailwindcss@4.2.2/colors",
-        "redis": "npm:redis@5.11.0",
         "pg": "npm:pg@8.13.1",
-        "jose": "npm:jose@5.9.6",
         "@opentelemetry/api": "npm:@opentelemetry/api@1.9.0",
         "@opentelemetry/core": "npm:@opentelemetry/core@2.6.0",
         "@opentelemetry/context-async-hooks": "npm:@opentelemetry/context-async-hooks@2.6.0",

package/esm/src/extensions/interfaces/auth-provider.d.ts

@@ -32,18 +32,45 @@ export interface VerifyOptions {
     /** Additional implementation-specific options. */
     [key: string]: unknown;
 }
+/**
+ * The parsed, unverified header of a JWT.
+ *
+ * Returned by {@link AuthProvider.decode}. `alg` is the signing algorithm
+ * advertised by the token (e.g. `"HS256"`, `"RS256"`); additional fields
+ * such as `kid` or `typ` may be present.
+ */
+export interface TokenHeader {
+    /** Signing algorithm advertised by the token header. */
+    alg?: string;
+    /** Additional header fields. */
+    [key: string]: unknown;
+}
 /**
  * AuthProvider contract interface.
  *
  * Implementations sign, verify, and decode authentication tokens
- * (e.g. JWTs) for request authentication.
+ * (e.g. JWTs) for request authentication, and verify third-party tokens
+ * against a remote JWKS.
  */
 export interface AuthProvider {
     /** Sign a payload into a token string. */
     sign(payload: TokenPayload, options?: SignOptions): Promise<string>;
     /** Verify a token and return its decoded payload. Throws on invalid tokens. */
     verify(token: string, options?: VerifyOptions): Promise<TokenPayload>;
-    /** Decode a token without verifying its signature. */
-    decode(token: string): TokenPayload | undefined;
+    /**
+     * Verify a token against a remote JSON Web Key Set.
+     *
+     * Fetches (and caches) the JWKS at `jwksUrl`, then verifies the token's
+     * signature and claims. Throws on invalid tokens, unreachable JWKS, or
+     * `kid`/algorithm mismatch.
+     */
+    verifyWithJwks(token: string, jwksUrl: string, options?: VerifyOptions): Promise<TokenPayload>;
+    /**
+     * Decode a token's protected header without verifying its signature.
+     *
+     * Returns `undefined` on malformed input. Useful for inspecting `alg`
+     * before choosing a verification strategy.
+     */
+    decode(token: string): TokenHeader | undefined;
 }
 //# sourceMappingURL=auth-provider.d.ts.map

package/esm/src/extensions/interfaces/auth-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../../../../src/src/extensions/interfaces/auth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,iDAAiD;AACjD,MAAM,WAAW,YAAY;IAC3B,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,mCAAmC;AACnC,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qCAAqC;AACrC,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,kDAAkD;IAClD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B,0CAA0C;IAC1C,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpE,+EAA+E;IAC/E,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACtE,sDAAsD;IACtD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;CACjD"}
+{"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../../../../src/src/extensions/interfaces/auth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,iDAAiD;AACjD,MAAM,WAAW,YAAY;IAC3B,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,mCAAmC;AACnC,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qCAAqC;AACrC,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,kDAAkD;IAClD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,YAAY;IAC3B,0CAA0C;IAC1C,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpE,+EAA+E;IAC/E,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACtE;;;;;;OAMG;IACH,cAAc,CACZ,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,YAAY,CAAC,CAAC;IACzB;;;;;OAKG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;CAChD"}

package/esm/src/extensions/interfaces/index.d.ts

@@ -8,10 +8,11 @@
 import "../../../_dnt.polyfills.js";
 export type { BundleOptions, BundleOutput, Bundler, BundleResult, BundlerPlugin, BundlerPluginBuild, TransformOptions, TransformResult, } from "./bundler.js";
 export type { CacheStore } from "./cache-store.js";
+export type { TokenCacheEntry, TokenCacheStats, TokenCacheStore } from "./token-cache-store.js";
 export type { CSSProcessOptions, CSSProcessor, CSSProcessResult } from "./css-processor.js";
 export type { ContentTransformer, ContentTransformOptions, ContentTransformResult, } from "./content-transformer.js";
 export type { DatabaseClient, QueryResult } from "./database-client.js";
-export type { AuthProvider, SignOptions, TokenPayload, VerifyOptions } from "./auth-provider.js";
+export type { AuthProvider, SignOptions, TokenHeader, TokenPayload, VerifyOptions, } from "./auth-provider.js";
 export type { SpanData, TracingExporter } from "./tracing-exporter.js";
 export type { AIModelProvider, ChatMessage, CompletionOptions, CompletionResult, ContentPart, StreamChunk, ToolDefinition, } from "./ai-model-provider.js";
 export type { EmbeddingOptions, EmbeddingProvider, EmbeddingResult } from "./embedding-provider.js";

package/esm/src/extensions/interfaces/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/extensions/interfaces/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,4BAA4B,CAAC;AAEpC,YAAY,EACV,aAAa,EACb,YAAY,EACZ,OAAO,EACP,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,GAChB,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGnD,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAG5F,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGxE,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGjG,YAAY,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGvE,YAAY,EACV,eAAe,EACf,WAAW,EACX,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,WAAW,EACX,cAAc,GACf,MAAM,wBAAwB,CAAC;AAGhC,YAAY,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAGpG,YAAY,EACV,OAAO,EACP,UAAU,EACV,eAAe,EACf,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAG1B,YAAY,EACV,MAAM,EACN,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/extensions/interfaces/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,4BAA4B,CAAC;AAEpC,YAAY,EACV,aAAa,EACb,YAAY,EACZ,OAAO,EACP,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,GAChB,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGnD,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAGhG,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAG5F,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGxE,YAAY,EACV,YAAY,EACZ,WAAW,EACX,WAAW,EACX,YAAY,EACZ,aAAa,GACd,MAAM,oBAAoB,CAAC;AAG5B,YAAY,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGvE,YAAY,EACV,eAAe,EACf,WAAW,EACX,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,WAAW,EACX,cAAc,GACf,MAAM,wBAAwB,CAAC;AAGhC,YAAY,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAGpG,YAAY,EACV,OAAO,EACP,UAAU,EACV,eAAe,EACf,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAG1B,YAAY,EACV,MAAM,EACN,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}

package/esm/src/extensions/interfaces/token-cache-store.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Contract interface for OAuth-token-style cache stores used by the proxy.
+ *
+ * This contract is richer than the generic `CacheStore` — it adds scan-by-prefix,
+ * bulk read, and usage statistics primitives that the proxy's token cache needs.
+ * Simpler key-value consumers should use `CacheStore` instead.
+ *
+ * Default implementation: `@veryfront/ext-redis`.
+ *
+ * @module extensions/interfaces/token-cache-store
+ */
+/**
+ * A cache entry stored by `TokenCacheStore`.
+ *
+ * The proxy persists OAuth tokens keyed by request metadata; this entry shape
+ * mirrors what the proxy has historically stored.
+ */
+export interface TokenCacheEntry {
+    token: string;
+    /** Unix timestamp in milliseconds. */
+    expiresAt: number;
+    scope: "preview" | "production";
+    projectSlug?: string;
+}
+/**
+ * Aggregate usage statistics for a `TokenCacheStore`.
+ */
+export interface TokenCacheStats {
+    hits: number;
+    misses: number;
+    size: number;
+    type: "memory" | "redis";
+}
+/**
+ * TokenCacheStore contract interface.
+ *
+ * Implementations provide TTL-aware token caching, plus scan and stats
+ * primitives that generic key-value caches do not require.
+ */
+export interface TokenCacheStore {
+    /** Retrieve a cached entry by key. Returns `null` on miss or expiry. */
+    get(key: string): Promise<TokenCacheEntry | null>;
+    /** Store an entry. TTL is derived from `entry.expiresAt`. */
+    set(key: string, entry: TokenCacheEntry): Promise<void>;
+    /** Delete a cached entry. No-op if the key does not exist. */
+    delete(key: string): Promise<void>;
+    /** Remove every entry owned by this store. */
+    clear(): Promise<void>;
+    /** Check whether a non-expired entry exists for the given key. */
+    has(key: string): Promise<boolean>;
+    /** Return current hit/miss/size statistics. */
+    stats(): Promise<TokenCacheStats>;
+    /** Close connections and release resources. */
+    close(): Promise<void>;
+}
+//# sourceMappingURL=token-cache-store.d.ts.map

package/esm/src/extensions/interfaces/token-cache-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-cache-store.d.ts","sourceRoot":"","sources":["../../../../src/src/extensions/interfaces/token-cache-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,SAAS,GAAG,YAAY,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,wEAAwE;IACxE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IAClD,6DAA6D;IAC7D,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,8DAA8D;IAC9D,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,8CAA8C;IAC9C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,kEAAkE;IAClE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACnC,+CAA+C;IAC/C,KAAK,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IAClC,+CAA+C;IAC/C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB"}

package/esm/src/extensions/interfaces/token-cache-store.js

@@ -0,0 +1,12 @@
+/**
+ * Contract interface for OAuth-token-style cache stores used by the proxy.
+ *
+ * This contract is richer than the generic `CacheStore` — it adds scan-by-prefix,
+ * bulk read, and usage statistics primitives that the proxy's token cache needs.
+ * Simpler key-value consumers should use `CacheStore` instead.
+ *
+ * Default implementation: `@veryfront/ext-redis`.
+ *
+ * @module extensions/interfaces/token-cache-store
+ */
+export {};

package/esm/src/extensions/recommendations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"recommendations.d.ts","sourceRoot":"","sources":["../../../src/src/extensions/recommendations.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAiBH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAE1E"}
+{"version":3,"file":"recommendations.d.ts","sourceRoot":"","sources":["../../../src/src/extensions/recommendations.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkBH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAE1E"}

package/esm/src/extensions/recommendations.js

@@ -6,6 +6,7 @@
 const recommendations = new Map([
     ["Bundler", "@veryfront/ext-esbuild"],
     ["CacheStore", "@veryfront/ext-redis"],
+    ["TokenCacheStore", "@veryfront/ext-redis"],
     ["CSSProcessor", "@veryfront/ext-tailwind"],
     ["ContentTransformer", "@veryfront/ext-mdx"],
     ["DatabaseClient", "@veryfront/ext-postgres"],

package/esm/src/proxy/cache/index.d.ts

@@ -5,8 +5,8 @@
  */
 export type { CacheOptions, CacheStats, MemoryCacheOptions, RedisCacheOptions, TokenCache, TokenCacheEntry, } from "./types.js";
 export { MemoryCache } from "./memory-cache.js";
-export { RedisCache } from "./redis-cache.js";
 export { ResilientCache } from "./resilient-cache.js";
+export { TracingTokenCache } from "./tracing-cache.js";
 import type { CacheOptions, TokenCache } from "./types.js";
 export declare function createCache(options: CacheOptions): Promise<TokenCache>;
 export declare function createCacheFromEnv(): Promise<TokenCache>;

package/esm/src/proxy/cache/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAU3D,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAS5E;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,CA0B9D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAe3D,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAc5E;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,CA4B9D"}

package/esm/src/proxy/cache/index.js

@@ -4,19 +4,26 @@
  * @module proxy/cache
  */
 export { MemoryCache } from "./memory-cache.js";
-export { RedisCache } from "./redis-cache.js";
 export { ResilientCache } from "./resilient-cache.js";
+export { TracingTokenCache } from "./tracing-cache.js";
 import { MemoryCache } from "./memory-cache.js";
-import { RedisCache } from "./redis-cache.js";
 import { ResilientCache } from "./resilient-cache.js";
+import { TracingTokenCache } from "./tracing-cache.js";
+import { tryResolve } from "../../extensions/contracts.js";
 import { getEnv } from "../../platform/compat/process.js";
 import { proxyLogger } from "../logger.js";
 import { withSpan } from "../tracing.js";
 const logger = proxyLogger.child({ module: "cache" });
+const MISSING_EXTENSION_INFO = "TokenCacheStore contract not provided — install @veryfront/ext-redis or scaffold extensions/ext-redis/";
 export async function createCache(options) {
     return withSpan("cache.create", async () => {
-        if (options.type === "redis")
-            return new RedisCache(options.options);
+        if (options.type === "redis") {
+            const tokenCache = tryResolve("TokenCacheStore");
+            if (tokenCache)
+                return new TracingTokenCache(tokenCache);
+            logger.info(MISSING_EXTENSION_INFO);
+            return new MemoryCache(undefined);
+        }
         return new MemoryCache(options.options);
     }, { "cache.type": options.type });
 }
@@ -25,18 +32,21 @@ export async function createCacheFromEnv() {
     return withSpan("cache.createFromEnv", async () => {
         if (cacheType !== "redis")
             return new MemoryCache();
-        const url = getEnv("REDIS_URL");
-        if (!url) {
-            logger.warn("[Cache] CACHE_TYPE=redis but REDIS_URL not set, falling back to memory");
+        const tokenCache = tryResolve("TokenCacheStore");
+        if (!tokenCache) {
+            // Redis was requested via config/env but no extension registered the
+            // TokenCacheStore contract. Log an info (misconfiguration, not error),
+            // then fall back to an in-memory cache so the proxy still boots.
+            logger.info(MISSING_EXTENSION_INFO);
             return new MemoryCache();
         }
-        const redisCache = new RedisCache({
-            url,
-            prefix: getEnv("REDIS_PREFIX") || "vf:token:",
-        });
-        // Wrap Redis with resilient fallback to memory cache
-        // This ensures the proxy continues to function when Redis is unavailable
-        logger.debug("[Cache] Using Redis with memory fallback (ResilientCache)");
-        return new ResilientCache(redisCache, new MemoryCache());
+        // Wrap the extension-provided cache with a memory fallback so a Redis
+        // outage does not take the proxy down. TracingTokenCache sits between
+        // ResilientCache and the extension impl so spans wrap the actual
+        // primary-cache attempt (mirrors the pre-extraction RedisCache which
+        // had inner withSpan calls).
+        logger.debug("[Cache] Using TokenCacheStore extension with memory fallback (ResilientCache)");
+        const traced = new TracingTokenCache(tokenCache);
+        return new ResilientCache(traced, new MemoryCache());
     }, { "cache.type": cacheType });
 }

package/esm/src/proxy/cache/tracing-cache.d.ts

@@ -0,0 +1,31 @@
+/**
+ * TracingTokenCache
+ *
+ * Wraps a {@link TokenCache} implementation and emits an OpenTelemetry span
+ * around each public method. This keeps extension-provided caches (such as
+ * `@veryfront/ext-redis`) tracer-agnostic: the extension implements the
+ * contract only, and the proxy applies observability at the factory boundary.
+ *
+ * Span names default to `cache.redis.<op>` to preserve the pre-extraction
+ * behavior of the in-tree RedisCache. Callers may override via
+ * {@link TracingTokenCacheOptions.spanPrefix} when wrapping a different
+ * backend.
+ */
+import type { CacheStats, TokenCache, TokenCacheEntry } from "./types.js";
+export interface TracingTokenCacheOptions {
+    /** Span name prefix, e.g. "cache.redis" produces "cache.redis.get". */
+    spanPrefix?: string;
+}
+export declare class TracingTokenCache implements TokenCache {
+    private readonly inner;
+    private readonly prefix;
+    constructor(inner: TokenCache, options?: TracingTokenCacheOptions);
+    get(key: string): Promise<TokenCacheEntry | null>;
+    set(key: string, entry: TokenCacheEntry): Promise<void>;
+    delete(key: string): Promise<void>;
+    clear(): Promise<void>;
+    has(key: string): Promise<boolean>;
+    stats(): Promise<CacheStats>;
+    close(): Promise<void>;
+}
+//# sourceMappingURL=tracing-cache.d.ts.map

package/esm/src/proxy/cache/tracing-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing-cache.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/tracing-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG1E,MAAM,WAAW,wBAAwB;IACvC,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID,qBAAa,iBAAkB,YAAW,UAAU;IAClD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAa;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAEpB,KAAK,EAAE,UAAU,EAAE,OAAO,GAAE,wBAA6B;IAKrE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAQjD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAQvD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQlC,KAAK,IAAI,OAAO,CAAC,UAAU,CAAC;IAI5B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAGvB"}

package/esm/src/proxy/cache/tracing-cache.js

@@ -0,0 +1,44 @@
+/**
+ * TracingTokenCache
+ *
+ * Wraps a {@link TokenCache} implementation and emits an OpenTelemetry span
+ * around each public method. This keeps extension-provided caches (such as
+ * `@veryfront/ext-redis`) tracer-agnostic: the extension implements the
+ * contract only, and the proxy applies observability at the factory boundary.
+ *
+ * Span names default to `cache.redis.<op>` to preserve the pre-extraction
+ * behavior of the in-tree RedisCache. Callers may override via
+ * {@link TracingTokenCacheOptions.spanPrefix} when wrapping a different
+ * backend.
+ */
+import { withSpan } from "../tracing.js";
+const DEFAULT_SPAN_PREFIX = "cache.redis";
+export class TracingTokenCache {
+    inner;
+    prefix;
+    constructor(inner, options = {}) {
+        this.inner = inner;
+        this.prefix = options.spanPrefix ?? DEFAULT_SPAN_PREFIX;
+    }
+    get(key) {
+        return withSpan(`${this.prefix}.get`, () => this.inner.get(key), { "cache.key": key });
+    }
+    set(key, entry) {
+        return withSpan(`${this.prefix}.set`, () => this.inner.set(key, entry), { "cache.key": key });
+    }
+    delete(key) {
+        return withSpan(`${this.prefix}.delete`, () => this.inner.delete(key), { "cache.key": key });
+    }
+    clear() {
+        return withSpan(`${this.prefix}.clear`, () => this.inner.clear());
+    }
+    has(key) {
+        return withSpan(`${this.prefix}.has`, () => this.inner.has(key), { "cache.key": key });
+    }
+    stats() {
+        return withSpan(`${this.prefix}.stats`, () => this.inner.stats());
+    }
+    close() {
+        return withSpan(`${this.prefix}.close`, () => this.inner.close());
+    }
+}

package/esm/src/proxy/cache/types.d.ts

@@ -2,7 +2,7 @@
  * Token Cache Interface
  *
  * Abstraction for storing OAuth tokens with TTL support.
- * Implementations: MemoryCache, RedisCache
+ * Implementations: MemoryCache (built-in), RedisCache (via @veryfront/ext-redis)
  */
 export interface TokenCacheEntry {
     token: string;

package/esm/src/proxy/cache/types.js

@@ -2,6 +2,6 @@
  * Token Cache Interface
  *
  * Abstraction for storing OAuth tokens with TTL support.
- * Implementations: MemoryCache, RedisCache
+ * Implementations: MemoryCache (built-in), RedisCache (via @veryfront/ext-redis)
  */
 export {};

package/esm/src/proxy/handler.d.ts

@@ -1,5 +1,12 @@
 import { type ParsedDomain } from "../server/utils/domain-parser.js";
 import type { TokenCache } from "./cache/types.js";
+/**
+ * Reset the cached AuthProvider. Intended for tests that `register()` a mock
+ * after the handler module has been imported.
+ *
+ * @internal
+ */
+export declare function __resetCachedAuthProviderForTests(): void;
 export declare const INTERNAL_PROXY_HEADERS: readonly ["x-token", "x-project-slug", "x-environment", "x-environment-id", "x-content-source-id", "x-forwarded-host", "x-project-path", "x-project-id", "x-release-id", "x-branch-id", "x-branch-name"];
 export interface ProxyConfig {
     apiBaseUrl: string;

package/esm/src/proxy/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/src/proxy/handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,YAAY,EAAsB,MAAM,kCAAkC,CAAC;AACzF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAQnD,eAAO,MAAM,sBAAsB,0MAYzB,CAAC;AAmIX,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,YAAY,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE;QACN,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC9D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAC9E;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,WAAW,CAAC;IACpB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAiGD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB;0BA4Q1B,OAAO,KAAG,OAAO,CAAC,YAAY,CAAC;0BAmQ/B,OAAO,KAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;;;;;;;;0BApd7C,MAAM,EAAE;;EAgfpC;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEjE,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAwB7E"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/src/proxy/handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,YAAY,EAAsB,MAAM,kCAAkC,CAAC;AACzF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAuCnD;;;;;GAKG;AACH,wBAAgB,iCAAiC,IAAI,IAAI,CAExD;AAED,eAAO,MAAM,sBAAsB,0MAYzB,CAAC;AAqHX,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,YAAY,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE;QACN,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC9D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAC9E;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,WAAW,CAAC;IACpB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAgGD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB;0BA4Q1B,OAAO,KAAG,OAAO,CAAC,YAAY,CAAC;0BAmQ/B,OAAO,KAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;;;;;;;;0BApd7C,MAAM,EAAE;;EAgfpC;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEjE,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAwB7E"}

package/esm/src/proxy/handler.js

@@ -5,7 +5,42 @@ import { cwd, getEnv } from "../platform/compat/process.js";
 import { join } from "../platform/compat/path/index.js";
 import { injectContext, ProxySpanNames, withSpan } from "./tracing.js";
 import { computeContentSourceId } from "../cache/keys.js";
-import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { resolve as resolveContract } from "../extensions/contracts.js";
+/**
+ * Cache the resolved AuthProvider at module scope so the proxy does not pay
+ * the registry lookup on every request. The cache is cleared implicitly when
+ * `ExtensionLoader.teardownAll()` clears the registry — the next call
+ * re-resolves (or surfaces the "install ext-jwt" hint if the extension was
+ * removed).
+ */
+let cachedAuthProvider;
+function getAuthProvider() {
+    if (cachedAuthProvider)
+        return cachedAuthProvider;
+    try {
+        cachedAuthProvider = resolveContract("AuthProvider");
+        return cachedAuthProvider;
+    }
+    catch (err) {
+        // resolve() already throws with a helpful "Recommended: @veryfront/ext-jwt"
+        // message, but the proxy is a load-bearing code path — append a concrete
+        // remediation hint that names the project-root extension directory so
+        // the user knows exactly what's missing.
+        const base = err instanceof Error ? err.message : String(err);
+        throw new Error(`${base}\nTo enable JWT verification in the proxy, install ext-jwt ` +
+            `(scaffold with \`deno task cli extension init ext-jwt\` or add the ` +
+            `npm package @veryfront/ext-jwt).`, { cause: err });
+    }
+}
+/**
+ * Reset the cached AuthProvider. Intended for tests that `register()` a mock
+ * after the handler module has been imported.
+ *
+ * @internal
+ */
+export function __resetCachedAuthProviderForTests() {
+    cachedAuthProvider = undefined;
+}
 export const INTERNAL_PROXY_HEADERS = [
     "x-token",
     "x-project-slug",
@@ -40,21 +75,10 @@ function isSignedInternalControlPlaneRequest(req) {
     }
     return !!req.headers.get("x-token");
 }
-const remoteJwksByUrl = new Map();
-function getApiJwks(apiBaseUrl, logger) {
+function resolveApiJwksUrl(apiBaseUrl, logger) {
     try {
         const normalizedBaseUrl = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
-        const jwksUrl = new URL(".well-known/jwks.json", normalizedBaseUrl);
-        const cacheKey = jwksUrl.toString();
-        // Lazily initialize and cache JWKS in a single, idempotent step to avoid
-        // unsynchronized read/then-write on the shared Map across concurrent calls.
-        let jwks = remoteJwksByUrl.get(cacheKey);
-        if (!jwks) {
-            const created = createRemoteJWKSet(jwksUrl);
-            remoteJwksByUrl.set(cacheKey, created);
-            jwks = created;
-        }
-        return jwks;
+        return new URL(".well-known/jwks.json", normalizedBaseUrl).toString();
     }
     catch (error) {
         logger?.error("Invalid API base URL for JWKS lookup", error, {
@@ -130,22 +154,19 @@ function isMissingCustomDomainProjectError(error) {
     return /project not found for domain/i.test(message);
 }
 async function extractUserIdFromToken(token, apiBaseUrl, log) {
-    let algorithm;
-    try {
-        algorithm = decodeProtectedHeader(token).alg;
-    }
-    catch (error) {
-        log?.debug("Failed to decode JWT header", {
-            error: error instanceof Error ? error.message : String(error),
-        });
+    const auth = getAuthProvider();
+    const header = auth.decode(token);
+    if (!header) {
+        log?.debug("Failed to decode JWT header");
         return undefined;
     }
+    const algorithm = header.alg;
     if (algorithm === "RS256") {
-        const jwks = getApiJwks(apiBaseUrl, log);
-        if (!jwks)
+        const jwksUrl = resolveApiJwksUrl(apiBaseUrl, log);
+        if (!jwksUrl)
             return undefined;
         try {
-            const { payload } = await jwtVerify(token, jwks, {
+            const payload = await auth.verifyWithJwks(token, jwksUrl, {
                 algorithms: ["RS256"],
             });
             return payload.userId;
@@ -167,10 +188,10 @@ async function extractUserIdFromToken(token, apiBaseUrl, log) {
         return undefined;
     }
     try {
-        const secret = new TextEncoder().encode(jwtSecret);
-        const { payload } = await jwtVerify(token, secret, {
-            algorithms: ["HS256"],
-        });
+        // ext-jwt reads JWT_SECRET from the environment when no `secret` was
+        // passed to the extension factory; the explicit env check above is kept
+        // so callers can warn once before we attempt verification.
+        const payload = await auth.verify(token, { algorithms: ["HS256"] });
         return payload.userId;
     }
     catch (error) {

package/esm/src/utils/version-constant.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.1.217";
+export declare const VERSION = "0.1.218";
 //# sourceMappingURL=version-constant.d.ts.map

package/esm/src/utils/version-constant.js

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.217";
+export const VERSION = "0.1.218";